John Berry 2

We recommend that the Office of the Chief Information Officer review the security of the password reset feature of all OPM systems that contain PII. During this review we also determined that the password complexity requirements for [redacted] are not compliant with OPM policy, and recommend that the appropriate system modifications be implemented.

Scope and Methodology

We reviewed situation room reports related to the [redacted] security breach and the vulnerability tip. We also independently tested the process for resetting passwords for [redacted] and [redacted] to evaluate the risk that a user's password could be changed by someone other than the individual owning the account.

Our review was not conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS). The nature and scope of the work performed was consistent with that expected of a GAGAS audit; however, because we consider this to be a review, the documentation, reporting, and quality control standards are not as stringent.

Review Results

Prior to the security breach, a user could reset their [redacted] password by entering [redacted] and [redacted]. After the security breach, the password reset feature for [redacted] was modified so that users [redacted]; they can no longer conduct the entire transaction directly on the public-facing website.

An OPM employee can create their own [redacted] account at the system's website by entering t[redacted]. Passwords for existing accounts can be reset on the website with the same information. During our review, we also determined that [redacted] are not enforced by [redacted]; we were able to create a password [redacted]. The OPM Information Security and Privacy Policy Handbook states that information systems must enforce minimum password complexity of at least [redacted], [redacted].

In order to reset an [redacted] password on the system's website, a user must enter the [redacted], and [redacted]. If a user does not know their [redacted], it can also be obtained directly on the website by entering [redacted]. Users must [redacted]. However, like [redacted], these [redacted]

As an additional security feature, [redacted]. Although this control would alert an authorized user that their account was breached, it does nothing to prevent an attack from occurring.

We believe that the issues identified in these three OPM systems represent an agency-wide security vulnerability. Although it is typically more convenient for a user to change their password directly on a system's website, this feature increases the risk that an attacker who knows enough information about a user could gain unauthorized access to the system. This risk is increased greatly for systems that have a public-facing website, as anyone with an Internet connection could attempt to hack user accounts. A more secure option is [redacted]. Once this additional control is implemented, an attacker would not only need to [redacted].

Recommendation 1
We recommend that [redacted] be modified to enforce the strict password complexity requirements in accordance with OPM's Information Security and Privacy Policy Handbook.

Recommendation 2
We recommend that [redacted] be modified to [redacted] that request to create new accounts or reset the passwords of existing accounts.

Recommendation 3
We recommend that the Office of the Chief Information Officer conduct a review to identify other OPM systems that allow users to [redacted]. The systems identified should be modified so that a [redacted]. The [redacted] should also be strengthened so that [redacted]

cc:    Elizabeth A. Montoya
       Chief of Staff

       [redacted]
       Director, Executive Secretariat and Ombudsman

       Matthew E. Perry
       Chief Information Officer

       [redacted]
       Director
       Internal Oversight & Compliance

       [redacted]
       Deputy Director
       Internal Oversight & Compliance

       [redacted]
       Chief, Policy and Internal Control